#1 2016-11-26 14:35:48

mxfm
Member
Registered: 2015-10-23
Posts: 163

[SOLVED] DNScrypt is not working

Hi!

I have problems getting dnscrypt to work. I followed the wiki article, but unfortunately I received network errors. I decided to launch dnscrypt-proxy manually, without systemd bloat, to see what is wrong.

So here is the manual launch of dnscrypt:

sudo dnscrypt-proxy -R dnscrypt.eu-nl

In the journal log there is:

dnscrypt-proxy[601]: Starting dnscrypt-proxy 1.7.0
dnscrypt-proxy[601]: Generating a new session key pair
dnscrypt-proxy[601]: Done

Then I have nameserver 127.0.0.1 in resolv.conf; everything else is commented out. I ping any server name.

Afterwards, in Wireshark I see packets from 127.0.0.1:39230 to 127.0.0.1:53 with DNS requests. After several seconds there are packets from my IP to 51.254.115.48:443. There are no replies at all. After sending a dozen packets I receive an ICMP packet from the router, type 3 code 13 (destination unreachable - communication administratively filtered).

In addition, there are also errors related to DNScrypt.

dnscrypt-proxy[601]: Refetching server certificates
dnscrypt-proxy[601]: Unable to retrieve server certificates

So, is my ISP blocking alternative DNS?

Last edited by mxfm (2017-01-02 14:59:47)

#2 2016-12-28 14:30:04

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [SOLVED] DNScrypt is not working

Update to 1.8.1 and see if you still have the problem. https://dnsleaktest.com will help you to see if your ISP is overriding your DNS.

#3 2017-01-02 14:59:21

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: [SOLVED] DNScrypt is not working

rdeckard wrote:

Update to 1.8.1 and see if you still have the problem. https://dnsleaktest.com will help you to see if your ISP is overriding your DNS.

Thanks for the reply. I am using the version from Arch, which seems to be the most recent (1.9).

Today I approached the problem again and it seems that my ISP is blocking UDP packets to (probably) any port (maybe because I am behind NAT). I used Wireshark to look at the traffic. When I select some resolver by name, I see outbound traffic to the correct server IP address (according to the csv data file) without any reply. In the console dnscrypt shows the error "Unable to retrieve server certificates". Approximately once per 10 requests I receive an ICMP error 3 reason 13 message from my ISP gateway (which means that the destination is unreachable because communication is administratively filtered).

I suspected that the ISP is blocking port 443 and selected servers with other ports: 55, 2053, 5553; however, it did not work, for the same reasons.

I managed to connect at a local wifi hotspot which does not block ports, so it really seems to be an ISP issue.
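
An added example, not part of the original posts: an ICMP Destination Unreachable message quotes the header of the packet that was rejected, so decoding it confirms whether the type 3 code 13 replies described in this thread refer to the UDP queries sent to the resolver or to unrelated traffic. The function names are hypothetical, and the sample message is constructed (client address 192.0.2.10 and source port 50000 are made up; the resolver address and port are the ones quoted in the thread).

```python
import socket
import struct

# ICMP type 3 codes that indicate policy filtering (RFC 1122 / RFC 1812).
FILTER_CODES = {9: "network administratively prohibited",
                10: "host administratively prohibited",
                13: "communication administratively prohibited"}

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message, starting at the ICMP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus quoted IPv4 header")
    if icmp[0] != 3:
        raise ValueError(f"ICMP type {icmp[0]} is not Destination Unreachable")
    inner = icmp[8:]                    # quoted start of the packet that was rejected
    ihl = (inner[0] & 0x0F) * 4         # quoted IPv4 header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("quoted packet is not a valid IPv4 header")
    info = {"code": icmp[1], "proto": inner[9], "dport": None,
            "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20])}
    # At least 8 bytes beyond the IP header are quoted: enough for TCP/UDP ports.
    if info["proto"] in (6, 17) and len(inner) >= ihl + 4:
        info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])[1]
    return info

def resolver_filtered(info: dict, resolver_ip: str, resolver_port: int) -> bool:
    """True if the rejected packet was UDP to the resolver and the code means filtering."""
    return (info["code"] in FILTER_CODES and info["proto"] == 17
            and info["dst"] == resolver_ip and info["dport"] == resolver_port)

# Constructed sample (not a real capture): type 3 code 13 quoting a UDP packet
# from 192.0.2.10:50000 (made-up client) to 51.254.115.48:443 (from the thread).
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 80, 0x1234, 0, 64, 17, 0,
                  socket.inet_aton("192.0.2.10"), socket.inet_aton("51.254.115.48"))
_udp = struct.pack("!HHHH", 50000, 443, 60, 0)
SAMPLE = struct.pack("!BBHI", 3, 13, 0, 0) + _ip + _udp   # checksums left as 0

if __name__ == "__main__":
    info = parse_unreachable(SAMPLE)
    print(info, FILTER_CODES.get(info["code"], "not a filtering code"))
    print("resolver traffic filtered:", resolver_filtered(info, "51.254.115.48", 443))
```

To use it on real traffic, pass the bytes of a captured ICMP message starting at the ICMP header, for example exported from the packet capture.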
